DETAILED ACTION

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
10/14/2009 has been entered. 

Acknowledgements 

This is a non-final office action in response to the Applicant's Request for 
Continued Examination filed on 10/14/2009. 

Claims 1-26 are pending in this Office Action. No claims are amended or 
cancelled. 

Response to Applicant's Arguments 

Applicant's arguments with respect to the rejection of claims 1-14 and 24-26 
under 35 U.S.C. 101 have been considered but are unpersuasive. 

Applicant's arguments with respect to the rejection of claims 1-26 under 35
U.S.C. 103 have been considered but are moot in view of the new ground(s) of 
rejection. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 1-14 and 24-26 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

In order for a method to be considered a "process" under §101, a claimed 
process must either: (1) be tied to another statutory class (such as a particular 
apparatus) or (2) transform underlying subject matter (such as an article or materials). 
Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 
(1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972). If neither of these requirements
is met by the claim, the method is not a patent eligible process under §101 and is
non-statutory subject matter.

Claims 1 and 24 are directed towards a method for assessing risk within an 
organization. As the claims are not sufficiently tied to an apparatus, such as a 
computer, and/or do not transform the underlying subject matter (from your claim) to a
different state, the claimed method is non-statutory and therefore rejected under 35 
U.S.C. 101. 

Claims 2-14 and 24-26 are rejected for being dependent upon rejected claim 1.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

Claims 1, 6, 8, 14, 19, 21 and 23-26 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Heinrich (US 2003/0046128) in view of Tschiegg et al (US 
2003/0160818). 

With respect to claims 1 and 16, Heinrich teaches a computer-implemented 
method for assessing risk within an organization, comprising: 

conducting a respective impact assessment for each of said assets, each 
assessment comprising assessing the impact of the loss of said respective asset 
(paragraph 0013, regarding security risk being defined as determining the impact the 
loss of the asset would have; paragraph 0030-0037, regarding the risk assessment
regarding evaluating the security risk for an asset); 

assessing the risk level associated with an asset (paragraph 0036); 

conducting for each asset a respective asset risk assessment, comprising
assessing the risk level associated with said respective asset independent of the 
respective zone of said respective asset (paragraph 0037). 

assessing risk on the basis of at least said impact assessment (paragraph 0030- 
0037, regarding the risk assessment regarding evaluating the security risk for an asset) 

Heinrich does not explicitly teach a zone risk assessment of the asset. However, 
Tschiegg teaches 

defining one or more zones, each of said one and more zones comprising an 
environment (paragraph 0009, regarding location identifiers, earthquake zones and 
flood zones); 

identifying one or more assets of said organization, each of said assets being 
located in a respective one of said zones (paragraph 0009, regarding risk management 
information within the zones, which include company assets; Figure 4, regarding the
listed assets in the database); 

conducting for each of said zones a respective zone risk assessment, comprising
(paragraph 0058-0069, regarding the filter function that allows for customized reporting 
about specific risk management segments); 

conducting for each asset a respective asset risk assessment (paragraph 0009- 
0010, regarding risk management and reporting functions); 

assessing risk on the basis of at least said zone risk assessment and said asset 
risk assessments (paragraph 0009-0010, regarding risk management and reporting 
functions). 

It would have been obvious to one of ordinary skill in the art to include the 
business system of Heinrich with the ability to teach a zone risk assessment of the 
asset as taught by Tschiegg since the claimed invention is merely a combination of old 
elements, and in the combination each element merely would have performed the same 
function as it did separately, and one of ordinary skill in the art would have recognized 
that the results of the combination were predictable. 

As to claims 6 and 19, Tschiegg further teaches maintaining a register of said 
zones (paragraph 0009, regarding database of location and zone information). 

Regarding claims 8 and 21, Heinrich further teaches wherein each of said assets 
is information related (0049, regarding risk assessment of a computer network system). 

Regarding claims 14 and 23, Heinrich further teaches including determining a
measured risk for each asset, said measured risk for a respective asset comprising the 
product of 1) an impact level determined in said impact assessment and 2) the 
maximum of an asset risk determined in said asset risk assessment and an asset risk 
determined in said zone risk assessment (paragraph 0045-0048, regarding associating 
asset risk to risk levels and conducting a risk assessment). 

With respect to claim 24, Tschiegg further teaches a risk management method, 
comprising managing said risk (paragraph 0003, regarding managing risk). 

As to claim 25, Heinrich further teaches wherein said managing of said risk 
comprises: 

determining the distribution of the number of assets as a function of associated 
measured risk (paragraph 0045, regarding assigning value to each risk to calculate an 
overall risk); 

determining a maximum acceptable risk level (paragraph 0048, regarding upper 
limit of the risk severity); and 

applying one or more controls if any of said assets exceeds said maximum
acceptable risk level (paragraph 0168, regarding implementing changes to eliminate or 
downgrade risks). 

Regarding claim 26, Heinrich further teaches wherein said acceptable risk level 
comprises the lower of the highest available measured risk or 100% (paragraph 0058). 

Claims 2-5, 7, 9-13, 15, 20, and 22 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Heinrich (US 2003/0046128) and Tschiegg et al (US 2003/0160818) 
in further view of Lovejoy et al (US 2002/0138416). 

Regarding claims 2 and 17, Heinrich in view of Tschiegg teaches a method as 
claimed in claim 1. Heinrich in view of Tschiegg does not directly teach identifying asset
custodians. However, Lovejoy teaches identifying one or more asset custodians, each 
comprising a custodian of a respective asset, and identifying one or more of said assets 
(paragraph 0056 and 0060, regarding the category of users that inventory the assets). 

It would have been obvious to one of ordinary skill in the art to include the 
business system of Heinrich in view of Tschiegg with the ability to identify asset custodians
as taught by Lovejoy since the claimed invention is merely a combination of old 
elements, and in the combination each element merely would have performed the same 
function as it did separately, and one of ordinary skill in the art would have recognized
that the results of the combination were predictable. 

As to claim 3, Lovejoy further teaches wherein each of said custodians is an 
employee with care-taking responsibilities (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets). 

With respect to claim 4, Lovejoy further teaches including maintaining a register 
of said assets (paragraph 0055, regarding the inventory of assets stored in a database). 

Regarding claim 5, Lovejoy further teaches wherein said register includes a 
respective owner of each of said assets (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets; also see page 20 of applicant's specification 
where custodians can also be owners). 

As to claims 7 and 20, Lovejoy further teaches the register of zones as taught by 
Tschiegg including a respective custodian of each of said zones (paragraph 0056 and 
0060, regarding the category of users that inventory the assets). 

With respect to claim 9, Tschiegg in view of Heinrich teaches a method as 
claimed in claim 2 wherein each of said assets is information related. Lovejoy further 
teaches where each of said asset custodians is an information custodian, each 
comprising a custodian of a respective information storage device within said
organization (paragraph 0056 and 0060, regarding the category of users that inventory 
the assets). 

As to claim 10, Lovejoy defines custodians including users, risk assessor, 
security practitioner (physical and environmental custodian) and system administrators 
(MIS support custodian) (paragraph 0056). Lovejoy does not directly teach network 
custodians or software engineering custodians. However, the simple substitution of one 
known element for another producing a predictable result renders the claim obvious. 
Therefore, it would have been obvious to one with ordinary skill in the art to add 
additional network custodians and software engineering custodians to the system in 
Lovejoy. 

Regarding claims 11 and 12, whether the zone assessment is conducted by the 
respective custodian or owner of said respective zone is representative of descriptive 
material that does not modify the functionality of the underlying method to distinguish 
the claimed invention from the prior art. In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 
401, 404 (Fed. Cir. 1983). Therefore, it would have been obvious to one with ordinary 
skill in the art to have the custodian or owner of the asset conduct the zone 
assessment. 

As to claims 13 and 22, Lovejoy further teaches regarding the loss of an asset as
equivalent to the loss of a system of which said asset is a part (paragraph 0063, 
compromised assets causing a loss to the organization). 

With respect to claim 15, Lovejoy further teaches wherein none of said 
custodians is an owner (paragraph 0056 and 0060, regarding the category of users that 
inventory the assets). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRANDI P. PARKER whose telephone number is (571)
272-9796. The examiner can normally be reached on Mon-Thurs. 8-5pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bradley B. Bayat can be reached on (571) 272-6704. The fax phone 
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/BRANDI P PARKER/ 
Examiner, Art Unit 3624 



/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3624 



